Commenting on the dominance of RSA's BSAFE implementation code, with
nearly a half-billion installations, Eric Rescorla <[EMAIL PROTECTED]> wrote:
>> >Hmmm. ITSM that most of these installs are in Netscape and/or
>> >Internet Explorer. It has long been my impression that the Netscape
>> >and MS engineers only used BSAFE because they were absolutely forced
>> >to. Moreover, it's significant that Netscape (at least) made very
>> >significant modifications to BSAFE in order to incorporate it into their
>> >products. Perhaps Tom Weinstein is around and can explain why.
Vin McLellan <me> replied:
>> I'm sure the majority of these installs are browsers. (Although
>> there *are* well over 600 other OEMs which install RSA's BSAFE
>> cryptographic code in multiple products.)
>>
>> With respect, however, I think this babble about Netscape and MS
>> being "absolutely forced" to use BSAFE code is silly and naive. It's part
>> of a myth that has been manufactured by people who can not accept that
>> proprietary crypto libraries have been, and are (even now!), often the
>> preferred choice of OEMs -- for good and sensible reasons.
To which (in what seems to me a non-sequitur) Mr. Rescorla retorted:
>This does not mesh with my experience.
>
>RSA has historically made it very difficult to get patent licenses,
>preferring to encourage the use of BSAFE. When I worked for Terisa,
>we explicitly told them we wanted a patent license and were told
>we had to use BSAFE. I have heard similar reports from other people.
Are we talking about two separate things here?
I never said that RSADSI (or RSAS today) had been lobotomized!
Of *course,* RSA did what it could to maximize its market advantage,
and that included a lot of clever things. (Spinning off VeriSign to
capture the certificate business may have been the most far-seeing and
successful, IMNSHO.)
Of *course,* RSA much prefers to license its BSAFE toolkit -- as
opposed to giving a full patent license which would allow a licensee to code
its own version of RSApkc or the other Ron Rivest ciphers.
(The broader the BSAFE user base; the greater the value of BSAFE
compatibility; and the greater the demand for BSAFE. It's the market
ecology of a network, yes?)
1. What I challenged was your declared "impression" that Netscape
and Microsoft had been "absolutely forced" into using BSAFE, RSA's code
library, when they coded SSL into their respective browsers and web servers.
It just doesn't seem to make sense.
2. Netscape, as Tom pointed out, would have been foolish not to use
BSAFE. (Cryptography, as Bruce Schneier put it, is hard. And what
startup can afford to reinvent the wheel?)
3. Microsoft had a choice. MS already had the licenses from RSADSI
that would have allowed them to code their own RSA ciphersuites for SSL. MS
also had a BSAFE license. Microsoft chose to rely on the BSAFE code.
4. Ok, RSADSI may have irritated hundreds of corporate negotiating
teams with its inquisitive and demanding (2 percent; a "piece of the pie")
licensing policies on RSApkc.
5. Ok, RSADSI may have irritated hundreds more by pushing BSAFE and
making a full RSApkc patent license (or an RC2 or RC4 license) difficult to
get.
6. Microsoft, however, was always too damn big for little RSA to
bully or "force" it into anything;-) Makes sense, right?
_Vin